[Samba] Samba3 on multiple networks, how to make it hand out the correct IP?

Bram Matthys syzop at vulnscan.org
Wed Sep 24 03:18:05 MDT 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi,

First, I see my subject says Samba3, this has to be Samba4.

L.P.H. van Belle wrote, on 24-9-2014 8:31:
> I suggest you setup advanced routing with routing tables. 
> google a bit for it and start with reading..  [..]

Thanks Louis for your reply. I'm sorry if my question caused any confusion.
My problem isn't on the routing side, but on the DNS side of things.

I think your suggestion is to make both networks reachable from either end.
That is not what I want, the clients on network A shouldn't and cannot reach
the clients&server on network B (and vice versa) as a matter of policy.

This should be no problem as long as Samba hands out the "correct" DNS
record: Samba replies to a query for dc1.company.net with two A records, one
of which is in the clients network, and one of which is not. I want Samba to
only reply with one A record: the one that is within the clients' network.

I guess in BIND terms you would call this two "views", but IMO Samba should
be able to figure this out without such complexity.

Now, as for Harry's suggestion...

Harry Jede wrote, on 24-9-2014 10:05:
>> My Samba 4.1.x server is connected to two networks, one in the
>> 192.168.* range (wired) and one in the 10.* range (wifi). The
>> clients on either network normally cannot reach each other.
>> I noticed Samba hands out (eg: for dcname.company.net) it's IP's from
>> both ranges to clients on both sides. So the 192.168.* clients get
>> two A records: 192.168.1.1 & 10.0.0.2.
> 
>> I noticed that, because of this current behavior, domain logins
>> (well, time between login & until the user sees a desktop) have an
>> extra delay of more than 60 seconds because the client tries to
>> connect to the wrong IP. Eventually it works, but the penalty is
>> huge.
> 
>>
>> Given that Samba knows which network the client is on I would have
>> expected it to actually be a little bit smarter with regards to
>> that.
> 
>>
>> Anyway, I'd like to see this changed so that any clients on 192.168.*
>> only get the 192.168.1.1 address, and the clients on 10.* only get
>> 10.0.0.2.
>>
>> How can I do this?
> 
> I dont know how to do this on the dns server, but you may do it on the clients:

Ok. Not really what I want in the end, but it would help as a temporary
quick fix :)

> i.e. modifiy your dns resolver settings
> a working setup on my home networks:
> 
> ## client PC
> # cat /etc/resolv.conf
> domain home.lan
> nameserver 192.168.231.254
> search home.lan ad.schule.lan
> sortlist 192.168.231.0/255.255.255.0
> 
> Important is the sortlist statement. It points to clients local network.
> 
> The Samba/DNS Server has 4 adresses. The nameserver 192.168.231.254 is a
> slave bind server for my ad domain.
> 
> ## client PC
> # host dc0
> dc0.ad.schule.lan has address 192.168.200.254
> dc0.ad.schule.lan has address 192.168.230.228
> dc0.ad.schule.lan has address 192.168.231.228
> dc0.ad.schule.lan has address 192.168.232.228
> 
> # ping -c1 dc0
> PING dc0.ad.schule.lan (192.168.231.228) 56(84) bytes of data.
> 64 bytes from 192.168.231.228: icmp_req=1 ttl=64 time=0.491 ms
> 
> Network clients like ping always uses the local name server address.

I see. Interesting feature.
It would work, except, and sorry for not mentioning this in the first
place.. blunt oversight: all my clients are on Windows 7.
- From what I can see (quick search) Windows 7 doesn't seem to provide that
functionality.

Regards,

Bram.

- -- 
Bram Matthys
Software developer/IT consultant        syzop at vulnscan.org
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iF4EAREIAAYFAlQijE0ACgkQbmdtRX/hmabr/gD9FbzZOwdjIvhuXvKqCy/2llN4
iytzs69ccaHItuSWey0A/jg7q6cUjNBCFIXQwVPukbjVMfX9SHP/cmz8z+m9zIoQ
=Ehfc
-----END PGP SIGNATURE-----


More information about the samba mailing list